ZyXEL ZyWALL10 DoS

2002-03-13T00:00:00
ID SECURITYVULNS:DOC:2632
Type securityvulns
Reporter Securityvulns
Modified 2002-03-13T00:00:00

Description

[vendor status] About half a year ago I found a 'funny' DoS condition in the ZyWALL10. ZyXEL was informed, and they at least confirmed the bug, but i believe that's all i heard. According to www.zyxel.com a new firmware for the ZyWALL10 was released 2002/01/10 - i wrote an email to a ZyXEL employee, and the bug is fixed in this version.

[description] The DoS is simple, using nemesis-arp (from The NEMESIS Project) or a similar tool (like arp-fun) it's possible to make the firewall drop its LAN connection.

If you send an arp packet containing some bogus/random MAC address and the firewalls ip to the firewalls lan interface the firewall will 'down' the lan interface and never 'up' it again. The firewall needs a powercycle to restore function, but thats not all. The firewall never 'reopens' the lan interface, so you need to connect via a console cable, go to the lan setup menu, and press enter a few times to 'confirm' the settings to get it back in working order. Sort of a pain in the rear if the firewall is behind a locked door..

[reproduction] nemesis-arp -S 10.0.0.1 -D 10.0.0.1 -h de:ad:ba:be:f0:0d -d ed1

(in this case the firewall's IP is 10.0.0.1 and the ethernet adapter is ed1)

[hello] Manzon, Merkinball, SiGNOUT, evilpoo, ewadoh, |ole|, zaarnik, ZyXEL.

[bye] From me, Knud Erik Hшjgaard.